StevenBlack / hosts

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
MIT License
26.65k stars 2.21k forks

[warning] DoH (DNS-over-HTTPS) bypassing the hosts file #968

Closed dnmTX closed 4 years ago

dnmTX commented 5 years ago

This is just an informative post for the concerned parties. As some of you already know, Firefox and Chrome/Chromium (as of late) have started implementing DoH on a trial basis, which is supposed to provide better privacy (bla bla bla). It is still very much in its early stages, but users can turn it on and use it, so I decided to check it out on my Chromium (Slimjet) browser. For now Chrome is only offering the Cloudflare DoH. One can do a basic check here: https://www.cloudflare.com/ssl/encrypted-sni/ (if it's implemented on your end, the "Secure DNS" indicator should be green).

Even though my hosts files are placed in my router, I was able to access blocked domains without any problems. Not sure about all of them, but I tried insomniagamingfestival.com (which is blocked in @StevenBlack's lists) and some others, and they all opened just fine. I'm also not sure that this is the case with Firefox, but I'd assume that it is. Disabling that new feature (DoH) returned everything back to normal. Bottom line: if one decides to use DoH (which in the near future will be implemented as a standard option), one has to rely solely on the chosen DNS (DoH) provider for protection, as it bypasses the hosts file completely. More feedback will be appreciated. Anyone who wants to try it, post your results. Thank you!!!!!

P.S. To turn DoH on: Firefox: Google it, instructions are easy to find. Chrome (Chromium): for now the only way to turn it on is to run the browser with the following command line switches: --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2Fcloudflare-dns%2Ecom%2Fdns-query/method/POST"
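The bypass described above, as an added example that is not part of the original post or of the StevenBlack/hosts project: a small Python client that shows the two resolution paths side by side. The hosts-file lookup is what the OS stub resolver does before it ever sends a query on port 53; the DoH path builds the DNS wire message itself and POSTs it to the resolver over HTTPS (RFC 8484), so nothing along the way consults the hosts file. The hosts excerpt, the canned response bytes and the 203.0.113.x answer are constructed for the example; the Cloudflare endpoint is the one named in the post, and the live POST is only made when the file is run as a script with that line uncommented.

```python
"""Added example, not from the issue or from StevenBlack/hosts: the two
resolution paths a browser can take. The OS stub resolver consults the
hosts file before sending anything on port 53; a DoH client builds the
DNS message itself and POSTs it over HTTPS (RFC 8484), so the hosts file
is never consulted. Hosts excerpt, response bytes and the 203.0.113.x
address are constructed; the live POST only runs as a script."""
import struct

SAMPLE_HOSTS = """\
# constructed excerpt in the StevenBlack/hosts format (0.0.0.0 blackhole)
127.0.0.1 localhost
0.0.0.0 insomniagamingfestival.com
0.0.0.0 www.insomniagamingfestival.com
"""

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            for name in names:
                table[name.lower()] = ip
    return table

def local_lookup(name, hosts_table):
    """The stub resolver's first step: the hosts file. None means the stub
    would fall through to its configured resolver on port 53."""
    return hosts_table.get(name.lower().rstrip("."))

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035): ID 0 as RFC 8484 recommends for
    cacheable DoH, RD=1, one question of the given type, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                              # RCODE != NOERROR
        return []
    off = 12
    for _ in range(qd):                             # skip the question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_lookup(name, endpoint="https://cloudflare-dns.com/dns-query"):
    """The DoH path: POST the wire query as application/dns-message.
    Nothing here reads the hosts file. Needs network; not used by tests."""
    import urllib.request
    req = urllib.request.Request(
        endpoint, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

# Constructed reply to QUERY: flags 0x8180 (QR, RD, RA), one A answer whose
# name is a pointer (0xC00C) back to the question at offset 12.
QUERY = build_query("insomniagamingfestival.com")
CONSTRUCTED_RESPONSE = (QUERY[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
                        + QUERY[12:] + b"\xc0\x0c"
                        + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))

if __name__ == "__main__":
    name = "insomniagamingfestival.com"
    print("hosts file:", local_lookup(name, parse_hosts(SAMPLE_HOSTS)))
    print("DoH (constructed reply):", parse_a_records(CONSTRUCTED_RESPONSE))
    # Live reproduction of the bypass (answers regardless of the hosts file):
    # print("DoH (live):", doh_lookup(name))
```

Run as a script with the live line uncommented on a machine whose hosts file blackholes the name: the hosts-file lookup returns 0.0.0.0, while the DoH answer is whatever the resolver returns, which is exactly what the browser sees once DoH is on.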

ScriptTiger commented 5 years ago

I haven't bought into DoH yet for several reasons, but I'm tracking its progress. Using Tor DNS (DNSPort, DNSListenAddress) as a forwarder in combination with a local DNS server (i.e. DualServer), hosts files, and other tactics is still better. DoH is encrypted, yes, which may make it seem obviously better, but it's actually just bringing common HTTPS analytics with it (https://mailarchive.ietf.org/arch/msg/doh/vHjITrOMhWSdrozGFe4-eGNMEJc).

The feature that @dnmTX is pointing out here is analogous to the feature set shift from SOCKS4 to SOCKS5 proxies. SOCKS4 cannot resolve queries on the remote proxy server, so DNS queries are "leaked" by the local machine before being requested through the remote proxy server. However, SOCKS5 proxies support UDP and remote DNS resolution and bypass local DNS resolution and your local hosts file. So basically SOCKS4 uses your hosts file, while SOCKS5 does not and bypasses it.

In the end some people want to bypass local resolution, some people don't. Depending on the circumstances, the choice may not be as "obvious" as current trending news makes it out to be. The "authorities" pushing the hardest on things like this (i.e. Cloudflare) are businesses and are not just benevolently hosting free services, but rather hosting a product with means of revenue generation by way of, but not limited to, monetizing your DNS traffic and other data. As we "modernize" and move towards "decentralizing" our services and moving to the "cloud," there are actually only a few cloud providers (i.e. AWS, Azure, Google, etc.), all selling an illusion of decentralization, while in reality we are actually centralizing more services with them than ever before. Services like Cloudflare easily lure consumers, who in turn bypass their ISP DNS servers and jump to Cloudflare's, making Cloudflare's big data set even more valuable as users from across the globe utilize them instead of the more decentralized regional and ISP DNS servers. They have basically found an extremely easy marketing funnel to exploit with huge return on investment.

I think the funniest thing is all the hype related to "governments and ISPs don't want you to use DoH." It actually doesn't affect governments in the slightest, as they can either indirectly monitor your DNS traffic by law by acquiring a court-ordered subpoena and taking advantage of data retention laws (or just backdoor APIs directly connecting government systems) or directly monitor your traffic like how the Russian government requires Internet companies to hand over encryption keys (obviously other governments also do this quietly). ISPs may actually be the ones losing out on this temporarily, but they are more in number and therefore more distributed than services like Cloudflare. And in the future ISPs will probably support DoH anyway and everything will be shipped to auto-configure your DoH the way modern DHCP does with DNS.

There is definite technological evolution at work here, but saying it's in any way more private would be hugely mistaken. DoH only ensures John Doe in the middle can't wiretap you and see your unencrypted DNS traffic. In reality 99.9% of people don't have a John Doe in the middle, but they are freely giving their traffic to a "trusted" server endpoint that's making more money and building more expansive profiles from their data than John Doe ever could. The common misconception of genius hackers sitting in a dark room somewhere breaking your Internet traffic to steal your valuable data is just not a reality 99.9% of the time, unless you really are a nation-state of some kind or some corporation with highly valued trade secrets. 99.9% of "hackers" in modern times are using software they downloaded or bought from somebody else; they are not well trained, they are not well organized, and they are just brute forcing large network ranges and vulnerability sets in hopes of catching something out of the billion devices they are scanning. In other words, 99.9% of the time nobody is targeting you. The vast majority of data breaches you hear about in the news, if not all, came as a result of internal compromise: an employee doing something they shouldn't have against company policy or otherwise known best practices, and some script kiddie, not an evil genius hacker, stumbled upon it and exploited it.

spirillen commented 5 years ago

well written @ScriptTiger :)

lightswitch05 commented 5 years ago

Just to add another side to the coin for DoH. We've all seen devices that have hard-coded DNS addresses (Roku, Chromecast, TVs, etc.). They prefer their own hard-coded addresses and only fall back on the network-provided DNS address if they are unable to reach them. For example, I have port 53 blocked on my network for all devices, except for my Pi-hole. This forces all devices to use my Pi-hole to access DNS. Another way to do it is to set up a transparent DNS resolver on port 53 via port forwarding. Anyways, since DoH is port 443, it's just a matter of time before these embedded devices come with their own DoH client and just bypass whatever DNS configuration you have set up, regardless of port 53. You can't just block port 443 without blocking pretty much all of the internet. So while DoH provides some privacy, it works both ways.

ScriptTiger commented 5 years ago

I know normal Android phones will also forward to Google DNS in certain situations, no matter what your DNS settings are. I'm not sure if it's the case for all Android, but I ran into this with some Samsung phones on my network. I had just gotten some new network equipment from my ISP and had set up my DNS blackholing and whatnot, and noticed everybody's phone was acting as if my blackhole wasn't even there. I did some further network analysis and saw that they were making requests directly to Google DNS after failing to resolve from mine.

I would say blocking all LAN traffic destined to port 53 WAN side would be a best practice for everyone, and then making exceptions/allowing your Pi-hole/DNS server. In the case I stated in my earlier post with Tor, no exceptions are needed since it's pulling DNS from within the Tor network.
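The two points above, devices with hard-coded or fallback resolvers and the port 53 egress rule with an exception for the local resolver, as an added example (not from the thread or from the StevenBlack/hosts project): a small Python checker that runs that policy over a constructed connection log and emits the equivalent nftables forward-chain rules. The LAN range, the Pi-hole address, the public-resolver list and the log format are assumptions for the example. Port 853 (DNS-over-TLS) is not mentioned in the thread but is included because it is the other port a port-based policy has to cover; DoH on 443 can only be spotted by destination address, never by port, which is why the checker flags it rather than the ruleset blocking it.

```python
"""Added example, not from the issue or from StevenBlack/hosts: detect LAN
devices that go around the local resolver (hard-coded or fallback DNS on
53, DNS-over-TLS on 853, DoH to a well-known resolver on 443) and emit the
matching nftables egress policy. Addresses, the LAN range and the log
format are assumptions for this example."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")            # assumed LAN
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")   # assumed Pi-hole

# Well-known public resolvers that also serve DoH on 443. Assumed starter
# list for the example; a real deployment maintains it from the providers'
# published addresses.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address(a): name for a, name in {
        "8.8.8.8": "Google", "8.8.4.4": "Google",
        "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
        "9.9.9.9": "Quad9",
    }.items()
}

# Constructed flow log (not real traffic): time src dst proto dport
SAMPLE_LOG = """\
2019-06-01T10:00:01 192.168.1.50 192.168.1.2 udp 53
2019-06-01T10:00:02 192.168.1.50 8.8.8.8 udp 53
2019-06-01T10:00:03 192.168.1.51 1.1.1.1 tcp 443
2019-06-01T10:00:04 192.168.1.51 203.0.113.5 tcp 443
2019-06-01T10:00:05 192.168.1.2 1.1.1.1 udp 53
2019-06-01T10:00:06 192.168.1.52 9.9.9.9 tcp 853
"""

def classify(src, dst, dport):
    """Return a finding label for one flow, or None if it is expected.

    Policy: only the local resolver may speak DNS to the WAN; LAN clients
    may only talk DNS to the local resolver; 443 from a LAN client to a
    well-known resolver address is probable DoH."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN or src == LOCAL_RESOLVER:
        return None                          # WAN side, or the forwarder
    if dport == 53 and dst == LOCAL_RESOLVER:
        return None                          # the intended path
    if dport == 53:
        return "dns-bypass (hard-coded or fallback resolver)"
    if dport == 853:
        return "dot-bypass (DNS-over-TLS to %s)" % PUBLIC_RESOLVERS.get(dst, dst)
    if dport == 443 and dst in PUBLIC_RESOLVERS:
        return "probable-doh (%s)" % PUBLIC_RESOLVERS[dst]
    return None

def analyze(log_text):
    """Parse the flow log; return [(src, dst, label)] for flagged flows."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _proto, dport = line.split()
        label = classify(src, dst, int(dport))
        if label:
            findings.append((src, dst, label))
    return findings

def nft_ruleset():
    """nftables rules enforcing the same policy on a Linux router: the
    resolver may reach WAN DNS on 53/853, other LAN hosts may not. 443 is
    deliberately untouched (blocking it blocks the web); act on the
    probable-doh findings by blocklisting those resolver addresses."""
    r = LOCAL_RESOLVER
    lines = ["table inet dns_egress {", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for proto in ("udp", "tcp"):
        for port in (53, 853):
            lines.append("    ip saddr %s %s dport %d accept" % (r, proto, port))
            lines.append("    ip saddr %s ip daddr != %s %s dport %d drop"
                         % (LAN, LAN, proto, port))
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for src, dst, label in analyze(SAMPLE_LOG):
        print(src, "->", dst, ":", label)
    print(nft_ruleset())
```

On the constructed log the checker flags the phone-style fallback to 8.8.8.8 on port 53, the 443 connection to 1.1.1.1, and the 853 connection to 9.9.9.9, while the Pi-hole's own forwarding and ordinary HTTPS to a non-resolver address pass. The generated ruleset is what the "block 53 outbound, except from the Pi-hole" advice above looks like in nftables.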

iamaer4fa commented 5 years ago

The problem of DNS over HTTPS, in addition to or related to what the OP stated: we have local servers that can no longer be accessed, obviously for the reason that Cloudflare has nothing to do with our local servers, even though the domain used by the local servers is registered and we do not need to register all of the subdomains and then port forward them to local/private IPs so that they point to the correct server.

I think the point is, and I think browsers must implement this: if DoH is enabled, browsers must ensure that the user can enter a list for which the browser will ignore DoH and go to the server directly (maybe through a local DNS or the hosts file) without bothering DoH, something like what we have in the proxy settings: NO PROXY FOR.

ScriptTiger commented 5 years ago

@allanregistos, I don't know on what scale your "local servers" are, but it's always a best practice to run a local DNS server if you're serious about whatever services you're providing. Your local DNS could, of course, therefore know about your local servers if you've configured it accordingly and you shouldn't have any issues. Your local DNS server should be the only host communicating with a DNS forwarder, such as Cloudflare as you mentioned. All of your local client machines should be using your local DNS server and not communicating directly with a DNS forwarder, such as Cloudflare.

There are some options out there for small footprint DNS servers that support DoH if you need it to share a box with one of your existing services, so that shouldn't really be an issue unless you are talking about embedded systems that have crazy limited resources or all of their resources are otherwise allocated and can't be shared. And, of course, having at least a secondary DNS server set up is always recommended, as well.

rhy-ama commented 4 years ago

This is still the case with the latest Chrome builds...

spirillen commented 4 years ago

> This is still the case with the latest Chrome builds...

And this malware will only grow in strength, and the only proper way to stop it is to do as both @ScriptTiger and @lightswitch05 mention: work with a good firewall to block the entire Google network by IPv4 & IPv6. Sorry to say it, guys, but Google is actually only all evil, and the world spins best without them, so go ahead and block AS15169.

0xRustlang commented 4 years ago

Also #1182

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented 4 years ago

Closing.